Categories
diy internet sysadmin

Switching from Windows to Linux Desktop

After years of procrastination, I finally did it. I am now using Linux not just on the server side, but as my primary OS, and I can’t be happier.

I have been a Linux user for most of my professional life, but my usage has been limited to the server side of things. Like most people, my working OS has been Windows from day one. There have been attempts to integrate the *nix way of doing things over the years: Cygwin, Git Bash, WSL, running Linux in a VM under Windows. However, the user experience is clunky and there are always issues to work around.

It happens that the time has come to replace my primary working machine – currently a 5-year-old notebook running Windows 10. I am a long-time fan of the Intel NUC and thought it a good opportunity to kill two birds with one stone: set up a Linux desktop distro on the Intel NUC to try out the experience.

Choices

I managed to buy a second-hand Intel NUC (NUC8i3BEH) with a 500GB SSD and 8GB of RAM. It is not high-end, or even mid-range, by today’s standards, but I figured it should be good enough for testing.

The immediate problem is deciding which Linux desktop distro to install, and there are a lot of options out there. Since I’m familiar with Ubuntu I decided to limit my options to Ubuntu-based ones. I’m not a fan of the default Ubuntu experience with Unity. After much evaluation I decided on Linux Mint, as it is Windows-like, has LTS support, and does not use snap.

How

Downloading and installing Linux Mint is straightforward. I chose the Cinnamon edition, as I wanted the default, up-to-date Mint experience. In hindsight, I might have done better with Xfce, as it uses fewer resources. More importantly, I discovered later that Cinnamon cannot restore running applications after a reboot (session restoration), which Xfce can. It is not a showstopper, but it would be nice to have.

The default appearance and behaviour of Linux Mint is familiar enough that most Windows users would have no problem using it. However, I personally dislike the Mint start icon and wanted an even more Windows-like experience (the irony). Here’s what I did:

  • Change the start button
  • Change the trashbin icon
  • Configure a more Explorer look-and-feel
  • Change application icons (Thunderbird, Firefox)
  • Change padding around icons in the taskbar
  • Change shortcut for screen lock, workspace switch

Here is the initial result:

Linux desktop running Windows 10 in QEMU, Firefox, and Gnome terminal
Virtual desktop, or Workspaces, in Cinnamon

First Impressions

I am really surprised that everything feels so snappy, and this is on a low-end i3 processor from 5 generations ago. Going from cold boot to login screen takes 4 seconds. Booting a freshly installed Windows 10 in QEMU takes about 10 seconds. Firefox, Thunderbird and VS Code all feel like they have been given a new lease of life. CPU and memory usage are low compared to Windows 10 with the same number of applications open. Bluetooth setup took a bit of getting used to, but once it is done everything just works.

Linux Mint comes batteries included, so to speak. Some may not like that, as it does ship quite a number of applications you may never use. But there are surprises like Hypnotix, which lets me watch Bloomberg, CNN and CNBC for free, among others. It also comes with LibreOffice, which some may not want. Fortunately, uninstalling software in Linux is normally a breeze: Mint’s Software Manager makes finding, installing and uninstalling software very easy.

Other Setup

As with any new OS, there is a lot of tinkering after the initial setup. Some other things I set up include:

  • Flatseal – extremely useful to manage flatpak permissions.
  • zram – extends swap with compressed RAM. Honestly I haven’t seen real benefits, but that’s probably due to the low memory usage at the moment.
  • Samba – QEMU’s user-mode networking can export a host directory to the guest over SMB (it drives a Samba instance behind the scenes, so the samba package has to be installed); the same Samba server, once configured, shares my folders with other Windows clients. When sharing beyond the VM, bind Samba to the LAN or Tailscale interface only and require authenticated users rather than guest access.
  • Tailscale – Tailscale provides a way for all my devices to behave as though they are on the same network, even when they are not (e.g. when I bring my notebook to the office). It also works for phones. Read my other review.
  • Remmina – a remote desktop client that supports RDP and VNC; it works better than the default Remote Viewer client in Linux Mint.
  • Barrier – virtual mouse/keyboard that works across Windows and Linux desktop.
  • Syncthing – to synchronize files across multiple clients, for situations where the device might be used in an offline environment.
  • PlayOnLinux – provides a persistent environment to run Windows applications in Linux via Wine.
  • x11vnc – Linux desktops don’t ship with an equivalent of Remote Desktop out of the box, and one popular option is a VNC server. x11vnc is free and about as simple as it gets, but by default it accepts connections without a password, listens on every interface, and VNC itself is unencrypted: set a password (x11vnc -storepasswd, then -rfbauth or -usepw), and either bind it with -localhost and tunnel over SSH or use -listen with the Tailscale address, so it is never exposed on the LAN or the internet.
  • Many others like Firefox, Chrome, Thunderbird, git, vscode, vim-gtk etc.

The Good Side

After using Linux Mint daily for 2 weeks, I have fully embraced it and notice I am not using my Windows notebook much any more. Some benefits I have noted so far:

  • Fantastic developer experience
    • docker, symlinks etc. just work
    • QEMU is amazingly fast, compared to VirtualBox
    • no more second-class citizen using things like Git Bash, WSL
    • Gnome terminal replaces command prompt, Git Bash and PuTTY (no more PuTTY key conversion)
  • Control
    • no unexpected Windows update happening at the most inopportune time
    • no funny search indexer or software reporter running in the background causing CPU spikes
    • no disappearing disk space due to WinSxS
    • no more rebooting multiple times after installing applications
    • no more extra folders/files like System Volume Information, $RECYCLE.BIN and Thumbs.db littered everywhere
  • Customization
    • almost anything can be customized to your liking. You might have to find the right docs though
  • Clean install/uninstall
    • you don’t think twice about installing software ‘cos you can always uninstall them cleanly afterwards

Gotchas

It is not all a bed of roses, however. There are some gotcha moments too, some of them unexpected:

  • Installing software can be confusing for beginners, ‘cos there are so many ways to do it: through a package manager (apt/deb, Flatpak, snap), portable-style as an AppImage, or ad hoc via a tarball, a curl | bash one-liner (which runs whatever the server sends, as you, without review) or compiling from source. It can also be hard to figure out where the config files live (/etc, ~/.local, ~/.config, dconf, inside a Flatpak’s sandbox, etc.).
  • Flatpak packages do not have access to the host file system by default, so dragging a file from the desktop into a Flatpak app might not work. This is a common gotcha that catches Flatpak newbies off guard. Thankfully, you can manage the permissions easily with Flatseal; the flip side is that the sandbox is exactly what keeps a misbehaving app away from the rest of your home directory, so grant the narrowest path that works rather than all of host.
  • The size of an installed package can vary wildly depending on the packaging type. In one rather extreme example, the same package took either 1.1MB or 2.3GB(!), a difference of more than 2000x.

  • Obviously the biggest drawback of a Linux desktop is the inability to run native Windows programs. Wine does a pretty admirable job, but it cannot cover the huge surface area of the Windows API and ecosystem, and running things in a VM is sometimes not ideal. I end up falling back to my Windows notebook for the following software:
    • Microsoft Office (yes I know you may be able to run Office 2016 32-bit using Wine, but I don’t really want to go that route)
    • Hyper-V manager
    • SketchUp
    • 3DS Max
    • iTunes
    • Teams – Microsoft actually has a Linux version of Teams. Good job!
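The Flatpak permissions gotcha above is really a sandbox-policy question, so here is an added example that is not from the post: a small shell audit that reads the keyfile printed by flatpak info --show-permissions <app-id> and flags the grants a security-minded user would revoke first (whole-home or host filesystem access, all devices, direct session/system bus access, and permission to talk to org.freedesktop.Flatpak, which lets a sandboxed app run commands on the host). Each finding is paired with the flatpak override --user command that removes it, the same operation Flatseal performs through its GUI. The app ID org.example.App and the sample keyfile are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the post). Audits a Flatpak permission keyfile,
# i.e. the output of:  flatpak info --show-permissions <app-id>
# and prints one line per risky grant together with the override that
# revokes it. The app ID and keyfile below are constructed for the demo.

# audit_flatpak_perms APP_ID   (keyfile on stdin)
# Output: "<section>/<key>=<value><TAB>flatpak override --user <flag> APP_ID"
# Always returns 0; callers inspect the output (empty means nothing flagged).
audit_flatpak_perms() {
  app=$1
  section=""
  while IFS= read -r line; do
    case $line in
      \[*\]) section=${line#\[}; section=${section%\]}; continue ;;
      ""|\#*) continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    case $section in
      Context)
        # Values are ';'-separated lists, e.g. filesystems=xdg-download;host;
        for item in $(printf '%s' "$val" | tr ';' ' '); do
          base=${item%%:*}              # strip :ro / :rw / :create suffixes
          fix=""
          case "$key:$base" in
            filesystems:host|filesystems:host-os|filesystems:host-etc|filesystems:home)
              fix="--nofilesystem=$base" ;;
            devices:all)
              fix="--nodevice=all" ;;
            sockets:session-bus|sockets:system-bus)
              fix="--nosocket=$base" ;;
          esac
          [ -n "$fix" ] && printf '%s/%s=%s\tflatpak override --user %s %s\n' \
            "$section" "$key" "$item" "$fix" "$app"
        done
        ;;
      "Session Bus Policy")
        # talk/own access to the Flatpak service is equivalent to running
        # arbitrary commands on the host via flatpak-spawn --host
        case $key in
          org.freedesktop.Flatpak)
            printf '%s/%s=%s\tflatpak override --user --no-talk-name=%s %s\n' \
              "$section" "$key" "$val" "$key" "$app" ;;
        esac
        ;;
    esac
  done
  return 0
}

# Constructed sample in the keyfile format `flatpak info --show-permissions`
# prints; it deliberately carries several over-broad grants.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=xdg-download;home:ro;host;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk

[Environment]
MOZ_ENABLE_WAYLAND=1'

# Demo run: prints five findings, each with the override that revokes it.
printf '%s\n' "$SAMPLE_PERMS" | audit_flatpak_perms org.example.App
```

Feed it a real app with flatpak info --show-permissions org.mozilla.firefox | audit_flatpak_perms org.mozilla.firefox; the printed override commands apply per user and can be reverted with flatpak override --user --reset <app-id>.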

Remaining Issues

There are some unresolved problems at the time of writing:

  • VPN gets disconnected after my NIC link goes down and comes back up. I have yet to find a good way to restart the VPN automatically in NetworkManager.
  • XMind does not open a document that is double-clicked in Files. It just launches the application without opening the document.
  • There is an ever-so-slight initial delay when moving the mouse from rest. Not sure if it’s a Bluetooth, driver or window manager issue. Not a showstopper, but it can be annoying.
  • System tray integration in Linux is surprisingly weak. The official Thunderbird has no tray integration, which means you can’t tell when there’s new mail or how many unread mails there are. There are unofficial solutions like BirdTray, but it doesn’t seem to work with the latest Thunderbird versions.

Conclusion

Given the list of issues I’ll still take Linux over Windows any day. The amount of control – and peace of mind! – you get is irreplaceable, not to mention the good performance, low CPU/memory footprint, amazing developer experience and stability (bye-bye BSOD). For those sitting on the fence, my advice is this: don’t wait! There is a bit of a learning curve, but it is well worth it.

Categories
cloud network security

Tailscale

When I first heard about Tailscale, I didn’t “get” it. I read that it is like a VPN but not quite the same as a traditional VPN, but I didn’t know the details. Since there were a lot of rave reviews from HN users I got curious. After trying it out, I was immediately sold. I have now installed it on all my personal devices.

Tailscale is a new way of connecting devices together. Once set up – and it is very easy to set up – your devices behave just as if they were on the same network: no complicated VPN server to run, no persistent-connection issues, no IP addresses to remember. It just works.

Tailscale is to VPNs what Dropbox is to file synchronization.

Tailscale makes sense for businesses and individuals alike. Its key benefit is that it replaces the traditional VPN model, a central gateway that every client dials into, with a mesh: each device runs the Tailscale client, and traffic flows directly between peers wherever possible (with a relay as fallback when NAT traversal fails). Every device type is covered, smartphones, tablets and laptops included, and the configuration amounts to installing the client and logging in, so it is extremely convenient for reaching your own machines while on the go.

On the security side, Tailscale is built on WireGuard: every device gets its own key pair, traffic between devices is encrypted end to end, and Tailscale’s coordination server only distributes public keys and policy, so it never sees and cannot decrypt your traffic. Identity comes from your existing identity provider, and ACLs let you restrict which users and devices may reach which ports, which makes it suitable for anything sensitive, provided you treat a device’s login session and node key with the same care as a VPN credential.

The best part is that Tailscale is extremely easy to use, with a simple, intuitive interface that users of any skill level can set up.

I highly recommend trying it out just to see how it works. Tailscale is free for personal use.

Categories
programming security

NIST Retires SHA-1 Cryptographic Algorithm | NIST

NIST, the US standards body that publishes the federal cryptographic standards, is recommending that SHA-1 be phased out entirely by the end of 2030, because practical collision attacks against it exist (the first public collision was demonstrated in 2017) and the cost of the hardware needed to mount them keeps falling. Modern browsers stopped accepting SHA-1 TLS certificates years ago, but older applications may still use it as a checksum. That is harmless where the only threat is accidental corruption; anywhere an attacker could choose the data being hashed (signatures, package manifests, content-addressed storage, integrity checks on downloads), move to SHA-256 or SHA-3.
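One place SHA-1 lingers is in checksum manifests shipped beside downloads. The following shell snippet is an added example, not from NIST’s announcement or from this post, and the file and manifests it builds are constructed for the demo. It verifies a GNU-style "<hex>  <file>" manifest but refuses any entry whose digest is MD5 or SHA-1 (identified by digest length), so a build or deploy step fails loudly instead of silently trusting a retired hash.

```bash
#!/usr/bin/env bash
# Added example: verify a checksum manifest, refusing retired digests.
# Manifest lines use the GNU coreutils format:  <hex digest>  <file name>
# Everything below (file, manifests) is constructed for the demonstration.

# digest_algo HEX -> algorithm name inferred from digest length
digest_algo() {
  case ${#1} in
    32)  echo md5 ;;
    40)  echo sha1 ;;
    64)  echo sha256 ;;
    128) echo sha512 ;;
    *)   echo unknown ;;
  esac
}

# verify_manifest MANIFEST DIR
# Returns 0 only if every entry uses SHA-256/SHA-512 and every digest
# matches the file under DIR. Accepted entries go to stdout, rejections
# and mismatches to stderr.
verify_manifest() {
  manifest=$1; dir=$2; rc=0
  while read -r hex file; do
    [ -n "$hex" ] || continue
    file=${file#\*}                      # drop GNU binary-mode marker
    algo=$(digest_algo "$hex")
    case $algo in
      sha256|sha512) ;;
      *) echo "REJECT $file: $algo is retired or unknown, re-publish the manifest with sha256sum" >&2
         rc=1; continue ;;
    esac
    actual=$("${algo}sum" "$dir/$file" | cut -d' ' -f1)
    if [ "$actual" = "$hex" ]; then
      echo "OK $file ($algo)"
    else
      echo "FAIL $file: $algo digest mismatch" >&2
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# demo: build a file plus one modern and one legacy manifest in a temp dir
demo() {
  tmp=$(mktemp -d)
  printf 'release payload\n' > "$tmp/payload.bin"
  (cd "$tmp" && sha256sum payload.bin) > "$tmp/SHA256SUMS"
  (cd "$tmp" && sha1sum   payload.bin) > "$tmp/SHA1SUMS"
  verify_manifest "$tmp/SHA256SUMS" "$tmp" && echo "sha256 manifest accepted"
  verify_manifest "$tmp/SHA1SUMS"   "$tmp" || echo "sha1 manifest rejected, as intended"
  rm -rf "$tmp"
}
demo
```

Inferring the algorithm from the digest length is deliberate: a manifest that merely labels itself "SHA256SUMS" can still contain 40-character SHA-1 lines, and the check should not depend on the file name.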

The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable.

Source: NIST Retires SHA-1 Cryptographic Algorithm | NIST

Categories
ai cloud

Amazon Polly speaks Cantonese

By now, text-to-speech systems are common and widely used. TikTok added the feature to its app some time ago. Amazon Polly – Amazon’s text-to-speech service – launched in 2016 and supports a large number of languages.

Just this week, AWS announced a female Cantonese voice for Polly. Upon reading about it, I had to test it out. For the test, I took a sample text from the YES 933 Facebook page and fed it to Polly. I must say I’m very impressed with the results.

Of course, Amazon Polly is neither the first nor the only Cantonese text-to-speech service out there, but it’s definitely one of the most natural-sounding ones I’ve heard. Looking forward to more languages being supported.

Footnote: I made some minor modifications to the text to achieve the desired result, e.g. to get pauses in the right places and to say nine-three-three instead of nine hundred thirty-three. Otherwise only default settings were used.

Categories
programming

Image which displays its own MD5 hash

This is very impressive. Someone managed to create an image whose MD5 hash (also known as its MD5 sum) appears in the image itself. Why is it impressive? Hashes are computed from the entire contents of the input, and changing even one bit produces a wildly different hash (the avalanche effect). Let me illustrate with an example:

$ echo -n 1234 | md5sum
81dc9bdb52d04dc20036dbd8313ed055 *-

$ echo -n 1235 | md5sum
9996535e07258a7bbfd8b132435c5962 *-

1234 and 1235 differ by just 1 bit. In binary:

1234 is 00110001 00110010 00110011 00110100
1235 is 00110001 00110010 00110011 00110101

and yet the MD5 hashes are totally different. Imagine you’re trying to create a text document with this content:

The MD5 sum of this is: 12345678901234567890123456789012

Obviously the MD5 hash is not going to be 12345678901234567890123456789012.
It computes to b8aca742ffc52d6bea85fd87a92d3ede.

So you tweak the contents to this:

The MD5 sum of this is: b8aca742ffc52d6bea85fd87a92d3ede

Now the MD5 sum becomes 878da8ba44a3938fdce6da2191f221a1.

The moment you tweak the contents, the MD5 hash changes.

So is it possible to engineer a text such that its MD5 hash is contained in the text? By brute force, yes in principle: the probability that a random document’s hash matches the digits you wrote into it is 2^-128, so you would expect to test on the order of 2^128 candidates before finding one, which is hopeless. What makes the image feasible is not brute force but MD5’s broken collision resistance: the author can generate many pairs of data blocks that collide, swap either block of a pair in without changing the final hash, and arrange the image so that each choice decides which digit gets drawn.
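To make the brute-force estimate concrete, here is an added example (not from the post and not Retr0id’s technique) that runs the same fixed-point search at toy scale: it looks for a sentence that contains the first two hex digits of its own MD5 sum. Two hex digits are 8 bits, so each batch of 256 candidates has roughly a 63% chance of containing a fixed point; the sentence template and the nonce that refreshes a batch are my own construction. Raise WIDTH to the full 32 digits and the same loop needs on the order of 2^128 iterations, which is exactly why the real hashquine relies on MD5 collisions instead.

```bash
#!/usr/bin/env bash
# Added example: brute-force search for a sentence containing its own
# (truncated) MD5 digest. Not the technique behind the PNG hashquine; it
# only shows why brute force works at 8 bits and is hopeless at 128.
WIDTH=2   # hex digits of the digest the sentence must contain (2 -> 8 bits)

# md5_hex STRING -> 32-char hex digest of STRING (no trailing newline hashed)
md5_hex() {
  printf '%s' "$1" | md5sum | cut -c1-32
}

# candidate CLAIM NONCE -> the sentence under test (template is constructed)
candidate() {
  printf "The first %s hex digits of this sentence's MD5 sum are %s (nonce %s)" \
    "$WIDTH" "$1" "$2"
}

# search_once NONCE: try all 16^WIDTH claims for this nonce; print a hit.
search_once() {
  nonce=$1
  max=$((1 << (4 * WIDTH)))
  i=0
  while [ "$i" -lt "$max" ]; do
    claim=$(printf "%0${WIDTH}x" "$i")
    text=$(candidate "$claim" "$nonce")
    if [ "$(md5_hex "$text" | cut -c1-"$WIDTH")" = "$claim" ]; then
      printf '%s\n' "$text"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# find_self_hash_text: a batch contains no fixed point with probability
# (1 - 1/256)^256, about 37%, so bump the nonce for a fresh batch until
# one succeeds. Prints the first self-describing sentence found.
find_self_hash_text() {
  n=0
  while [ "$n" -lt 64 ]; do
    if text=$(search_once "$n"); then
      printf '%s\n' "$text"
      return 0
    fi
    n=$((n + 1))
  done
  return 1
}

# check_self_hash_text TEXT: independent verification of a claimed hit,
# extracting the claimed digits from the sentence itself.
check_self_hash_text() {
  claim=${1#*are }
  claim=${claim%% *}
  [ "$(md5_hex "$1" | cut -c1-"${#claim}")" = "$claim" ]
}

# Demo. Each extra hex digit multiplies the expected work by 16; the full
# 32-digit digest would need ~2^128 candidates.
hit=$(find_self_hash_text) && echo "found: $hit"
```

Running it takes a second or two; the found sentence really does start its own MD5 digest with the digits it names, and check_self_hash_text recomputes that from scratch. The expected cost scales as 16^WIDTH, so the search that takes 256 hashes here would take 2^128 for the full digest.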

Which brings us to the image. Creating an image like this is difficult, because of the encoding and the per-chunk CRC checksums that a valid PNG needs. It is not the first image-based hashquine (a file that shows its own hash), but what makes this one even more impressive is the deliberate choice of making 1337 appear at both the front and the back of the MD5 sum.

Kudos to the author for this achievement.

The image in this post displays its own MD5 hash. You can download and hash it yourself, and it should still match – 1337e2ef42b9bee8de06a4d223a51337. I think this is the first PNG/MD5 hashquine.

Source: Retr0id

Categories
cloud internet

Comparison of AWS Compute Options in 2022

This is a non-exhaustive comparison of the popular AWS compute options. Hopefully it helps someone who is also evaluating the options for running a workload in AWS.

EC2 is the oldest and most popular option, as it is the easiest to start with. However, you have to manage a lot yourself if you choose it (OS patching, scaling, HA, etc.), which can be daunting for a developer who is not so familiar with cloud architecture. Over the years AWS has been making it easier to deploy code and have it scale. The latest compute product, App Runner, is a super simple way to run web applications in AWS. Some have reported teething issues with it, but I have no doubt those will be fixed as the service matures.

Reference:
https://nathanpeck.com/concurrency-compared-lambda-fargate-app-runner/

Categories
cloud sysadmin

Granting AWS billing access to IAM (non-root account) users

By default, IAM users are not allowed to access the Billing console. This is true even if the user has the AdministratorAccess policy attached. If you use AWS as a non-root (non-owner) IAM user but need access to billing and payments, here’s how to do it.

Create billing IAM policies

  1. Go to IAM: https://console.aws.amazon.com/iam/
  2. Select Policies > Create policy
    1. Choose a service > Enter “Billing”
    2. Check All billing actions
  3. Review > name it “BillingFullAccess” > Create policy

Attach billing policy

You can attach the billing policy to users or to user groups. For simplicity, let’s assume we are attaching it to a single user. If that user only needs to read invoices and usage, select just the read-level actions (such as ViewBilling) when creating the policy in the previous step, rather than all billing actions.

  1. Go to IAM: https://console.aws.amazon.com/iam/
  2. Select users > choose the user that you want to apply
  3. Select Add permissions > Attach existing policies directly
  4. Check BillingFullAccess
  5. Review > Add permission

Activating access to the AWS billing console

From AWS documentation,

By default, IAM users and roles within an AWS account can’t access the Billing console pages. This is true even if the IAM user or role has IAM policies that grant access to certain Billing features.

The last step is to enable this access, which only the root user can do:

  1. Sign in as root/account owner
  2. Click on your username on the top right and select Account
  3. Scroll down to IAM User and Role Access to Billing Information
  4. Click Edit, check Activate IAM Access
  5. Update

And it’s done. You can now log in as the IAM user and access the billing dashboard. Note that this switch is account-wide: it grants nothing by itself, but once activated, any IAM user or role carrying a billing policy can reach the console, so keep those policies as narrow as the job requires.

Categories
cloud security sysadmin

New for Amazon GuardDuty – Malware Detection for Amazon EBS Volumes | AWS News Blog

Once configured, Amazon GuardDuty will scan the EBS volumes attached to an EC2 instance or container workload for malware and report its findings when it has detected suspicious activity from that workload. If you haven’t enabled it already, you should.

https://aws.amazon.com/blogs/aws/new-for-amazon-guardduty-malware-detection-for-amazon-ebs-volumes/

When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious.

Categories
security

Security Certification Roadmap – Paul Jerimy Media

It’s probably impossible to get every security certification out there, but it’s still fun to see them listed and classified neatly like this.

IT Security Certification Roadmap charting security implementation, architecture, management, analysis, offensive, and defensive operation certifications.

Source: Security Certification Roadmap – Paul Jerimy Media

Categories
cloud internet privacy

The Era of Borderless Data Is Ending – The New York Times

From data privacy and data residency to digital sovereignty, change is happening, and not necessarily in a good way. The Wild West that characterized the old internet is being chipped away one block at a time. Some predict this will lead to the end of general-purpose computing and further entrench incumbents, making it even more difficult for new players to break in.

Nations are accelerating efforts to control data produced within their perimeters, disrupting the flow of what has become a kind of digital currency.

Source: The Era of Borderless Data Is Ending – The New York Times